[dns-operations] DNS ANY record queries - Reflection Attacks
Phil Regnauld
regnauld at nsrc.org
Wed Sep 12 10:57:45 UTC 2012
paul vixie (paul) writes:
>
> moreover, the definition of the word "identical" is not what one would
> expect. perhaps we should say "vastly similar" rather than "identical".
> one of the things DNS RRL counts is the number of times a negative
> answer is generated, per-client-netblock, per-SOA-apex. these responses
> are not identical but they all flow from the same SOA. another thing we
> count is the number of times a wildcard is used per-client-netblock.
Thanks for the examples. In my opinion, when one is the authority,
DNS RRL makes a lot of sense: "I've sent a nearly identical answer
a statistically sufficient number of times to be certain that a
legitimate requestor should have received it" is good enough for me :)
I do wish we had similar knobs in NSD (I thought version 3 was going
to offer that) - http://www.nlnetlabs.nl/downloads/NSD_DenicTechnical.pdf,
but that's from 2009.
> these responses are in no way identical but we treat them as such for
> the purpose of rate limiting. these are things i do not think a firewall
> can do unless it's so DNS-aware that it knows where the apex is, knows
> what names exist, and knows what wildcards exist. (more on that in my
> response to colm's thread.)
It's not really a firewall at this point, it's a distributed DNS server
with an aggressive query filter in front of it. It's part of the
application, really.
Phil
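The per-netblock, per-SOA-apex bucketing Vixie describes above, as an added toy model written for this archive page (it is not BIND's RRL implementation, and the zone data, client addresses, /24 netblock size and 5-responses-per-second limit are constructed for illustration):

```python
"""Toy model of the DNS RRL accounting described in the thread: negative
answers are bucketed per (client netblock, SOA apex) and wildcard-synthesized
answers likewise, because the responses differ in bytes but "flow from the
same SOA".  Constructed example, not BIND's RRL code."""
from ipaddress import ip_network

# Constructed zone data: apex -> names that exist, and whether a wildcard exists.
ZONES = {"example.com.": {"names": {"www.example.com.", "mail.example.com."},
                          "wildcard": True},
         "example.net.": {"names": {"www.example.net."}, "wildcard": False}}

def classify(qname, zones=ZONES):
    """Return (answer kind, SOA apex or name) for qname; 'refused' if out of zone."""
    for apex, zone in zones.items():
        if qname == apex or qname.endswith("." + apex):
            if qname in zone["names"]:
                return "positive", qname
            return ("wildcard" if zone["wildcard"] else "negative"), apex
    return "refused", qname

def rrl_key(client_ip, qname, prefixlen=24):
    """Bucket key: 'vastly similar' answers share a key even if bytes differ."""
    netblock = str(ip_network(f"{client_ip}/{prefixlen}", strict=False))
    kind, what = classify(qname)
    return (kind, netblock, what)

class RateLimiter:
    """Fixed one-second window per key; responses over the limit are dropped."""
    def __init__(self, per_second=5):
        self.limit = per_second
        self.state = {}  # key -> (window_start, count)

    def allow(self, key, now):
        start, count = self.state.get(key, (now, 0))
        if now - start >= 1.0:          # window expired: start counting afresh
            start, count = now, 0
        count += 1
        self.state[key] = (start, count)
        return count <= self.limit

def simulate(queries, per_second=5):
    """queries: iterable of (timestamp, client_ip, qname), in arrival order.
    Returns a list of (qname, client_ip, 'answer' | 'drop')."""
    limiter = RateLimiter(per_second)
    out = []
    for t, ip, qname in queries:
        ok = limiter.allow(rrl_key(ip, qname), t)
        out.append((qname, ip, "answer" if ok else "drop"))
    return out
```

Eight NXDOMAIN queries for different names from different hosts in one /24 land in a single bucket, so only the first five are answered, while a client elsewhere and a query for an existing name are unaffected.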